[tor-bugs] #26627 [Core Tor/Tor]: HSv3 throws many "Tried connecting to router at [IP:port], but RSA identity key was not as expected"
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jul 6 02:41:00 UTC 2018
#26627: HSv3 throws many "Tried connecting to router at [IP:port], but RSA identity
key was not as expected"
-------------------------------------------------+-------------------------
Reporter: asn | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor:
| 0.3.5.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: security tor-relay certs handshake | Actual Points:
ed25519 035-roadmap-proposed |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by teor):
* status: needs_information => new
Comment:
> tor versions
The problematic tor versions are all 0.2.9.
0.2.9 and later support v3 rendezvous, but...
Replying to [comment:6 mahrud]:
> I assume ed25519 keys started in v0.3, so it makes sense that those
relays wouldn't support ed25519 handshakes, but why do they have three
ed25519 values in their descriptor?
0.3.0.1-alpha introduced ed25519 link authentication, using the ed25519
identity keys that had been around since 0.2.7.2-alpha. So all supported
relays have ed25519 keys, but only relays on 0.3.0.1-alpha or later use
them to authenticate their TLS connections:
With the 0.3.0 series, clients and relays now use Ed25519 keys to
authenticate their link connections to relays, rather than the old
RSA1024 keys that they used before.
https://gitweb.torproject.org/tor.git/tree/ChangeLog#n5350
All relays now maintain a stronger identity key, using the Ed25519
elliptic curve signature format. This master key is designed so
that it can be kept offline. Relays also generate an online
signing key, and a set of other Ed25519 keys and certificates.
These are all automatically regenerated and rotated as needed.
Implements part of ticket 12498.
https://gitweb.torproject.org/tor.git/tree/ChangeLog#n9291
So there are two bugs here:
v3 clients sending introduce cells include an ed25519 key for 0.2.9 and
earlier rend points, even though ed25519 link authentication can't
possibly work for those rend points:
https://gitweb.torproject.org/tor.git/tree/src/feature/hs/hs_circuit.c#n610
v3 single onion service to rend link authentication is based on untrusted
data from clients, so we should log at info, not warn:
https://gitweb.torproject.org/tor.git/tree/src/core/or/connection_or.c#n1961
(There would be a similar bug for v3 Tor2web client to intro, but Tor2web
is not supported on v3.)
This bug is similar to #21107, where directory authorities marked 0.2.9
relays as not running, because they had ed25519 identity keys, but did not
support authenticating their link handshakes with those keys. See, in
particular:
https://trac.torproject.org/projects/tor/ticket/21107#comment:9
And the fix on the client side is a one-line fix similar to:
https://gitweb.torproject.org/nickm/tor.git/commit/?h=bug21107&id=0f79fb51e5653cbc82a0066423c833cafb656542
I'll do up a branch for 0.3.2 and 0.3.5.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26627#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list